d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ce16585796
freebsd-dev/sbin
History
Stephen J. Kiernan ce16585796 This application (veriexecctl) handles reading a fingerprints file 
containing paths, fingerprints, and optional option flags which in turn
get pushed into the MAC/veriexec meta-data store via the veriexec device.

The format of the fingerprints file is as follows:
path type fingerprint options

The type of fingerprint supported depends on what MAC/veriexec fingerprint
modules have been loaded into the system. The veriexecctl application is
able to determine which ones are available by consulting the
security.mac.veriexec.algorithms sysctl.

The following options are currently supported in MAC/veriexec and by the
veriexecctl application:

indirect
  If this option is set then the executable cannot be invoked directly, it
  can only be used as an interpreter in shell scripts.
file
  Indicates that the fingerprint is associated with a file, not an
  executable. Files have their fingerprints verified during open(2) and are
  automatically made read only. This option may be used to verify shared
  libraries have not been tampered with.
no_ptrace
  If this option is set then the executable cannot be traced with the
  ptrace(2) process tracing and debugging call.
trusted
  If this option is set then the executable is allowed to write to the
  mem(4) devices. By default, when verified execution is enforced, no
  process is allowed to write to the mem(4) devices.

The options are not case sensitive.

Reviewed by:	jtl, wblock
Obtained from:	Juniper Networks, Inc.
Differential Revision:	https://reviews.freebsd.org/D8575
2018-06-20 01:08:54 +00:00
..
adjkerntz various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
bsdlabel General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
camcontrol NVME support is only for x86 and powerpc64. 2018-06-14 01:15:19 +00:00
ccdconfig ccdconfig: Move VCS tags to be more consistent with our style. 2017-12-30 00:26:42 +00:00
clri Refactoring of reading and writing of the UFS/FFS superblock. 2018-01-26 00:58:32 +00:00
comcontrol various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
conscontrol various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ddb ddb: unbreak ppc 2018-06-17 00:00:24 +00:00
decryptcore Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
devd devd: drop WARNS back down to 3 until 6 actually works with GCC 2018-05-24 01:12:06 +00:00
devfs other: Fix several typos and minor errors 2017-12-27 03:23:58 +00:00
devmatch Exit with an error if a linker hints file can't be found. 2018-06-14 22:31:30 +00:00
dhclient Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
dmesg General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
dump Revert size limits. 2018-06-11 20:38:30 +00:00
dumpfs The goal of this change is to prevent accidental foot shooting by 2018-02-08 23:06:58 +00:00
dumpon Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
etherswitchcfg Finish removing FDDI and tokenring media support. 2018-04-23 21:10:33 +00:00
fdisk DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
ffsinfo spdx: initial adoption of licensing ID tags. 2017-11-18 14:26:50 +00:00
fsck various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
fsck_ffs Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
fsck_msdosfs Don't bail out from the check if readboot() returns !FSFATAL. 2018-04-30 05:57:55 +00:00
fsdb When using the fsdb `blocks' command, replace the long and ugly list of 2018-04-08 07:06:12 +00:00
fsirand Refactoring of reading and writing of the UFS/FFS superblock. 2018-01-26 00:58:32 +00:00
gbde various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
geom gpart: add EFI alias for MBR partition scheme 2018-06-17 20:10:48 +00:00
ggate various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
growfs Refactoring of reading and writing of the UFS/FFS superblock. 2018-01-26 00:58:32 +00:00
gvinum gvinum: revert WARNS change in Makefile 2018-06-17 01:39:22 +00:00
hastctl various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
hastd various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ifconfig Make the name of option that toggles IFCAP_HWRXTSTMP capability to 2018-05-18 12:12:24 +00:00
init Improve missing tty handling in init(8). This removes a check that did 2018-02-27 10:54:15 +00:00
ipf rescue ipf: Remove hacks and link in libipf directly. 2017-11-10 07:52:58 +00:00
ipfw Fix the printing of rule comments. 2018-05-10 12:25:01 +00:00
iscontrol various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
kldconfig various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
kldload various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
kldstat kldstat: align "Size" to the right 2018-05-26 05:15:07 +00:00
kldunload various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ldconfig ldconfig(8): use .Nm instead of 'ldconfig' 2018-01-09 06:51:41 +00:00
md5 Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
mdconfig various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mdmfs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mknod General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mksnap_ffs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mount vfs_donmount: in certain cases try r/o mount if r/w mount fails 2018-03-27 14:31:42 +00:00
mount_cd9660 General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mount_fusefs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mount_msdosfs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
mount_nfs General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mount_nullfs General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mount_udf General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mount_unionfs General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
nandfs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
natd DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
newfs Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
newfs_msdos Added option to cluster-align the start of the root directory. 2018-06-15 06:03:40 +00:00
newfs_nandfs various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
nfsiod General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
nos-tun various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
nvmecontrol Make it possible to use print_controller from another program 2018-06-13 22:00:02 +00:00
pfctl pf: Return non-zero from 'status' if pf is not enabled 2018-06-06 19:36:37 +00:00
pflogd DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
ping General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
ping6 General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
quotacheck quotacheck: build with WARNS=3 2018-06-16 23:47:59 +00:00
rcorder various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
reboot Clarify that boot_mute / boot -m mutes kernel console only 2018-05-16 02:15:18 +00:00
recoverdisk SPDX: use the Beerware identifier. 2017-11-30 20:33:45 +00:00
resolvconf sbin: normalize paths using SRCTOP-relative paths or :H when possible 2017-03-04 11:33:01 +00:00
restore Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
route Fix memory leaks in route(8). 2018-03-31 15:06:14 +00:00
routed When bind fails, make sure we closed the socket we tried to bind the 2017-12-28 05:34:24 +00:00
rtsol DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
savecore The extension for zstd-compressed files is ".zst". 2018-05-29 16:04:53 +00:00
sconfig DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
setkey General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
shutdown shutdown: Fix r327476 by adding init 2018-01-02 09:02:42 +00:00
spppcontrol various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
sunlabel General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
swapon General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
sysctl Permit sysctl(8) to set an array of numeric values for a single node. 2018-03-09 23:37:19 +00:00
tests Merge ^/user/ngie/release-pkg-fix-tests to unbreak how test files are installed 2016-05-04 23:20:53 +00:00
tunefs Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
umount General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
veriexecctl This application (veriexecctl) handles reading a fingerprints file 2018-06-20 01:08:54 +00:00
zfsbootcfg DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
Makefile NVME support is only for x86 and powerpc64. 2018-06-14 01:15:19 +00:00
Makefile.amd64 NVME support is only for x86 and powerpc64. 2018-06-14 01:15:19 +00:00
Makefile.arm
Makefile.i386 NVME support is only for x86 and powerpc64. 2018-06-14 01:15:19 +00:00
Makefile.inc Use src.opts.mk in preference to bsd.own.mk except where we need stuff 2014-05-06 04:22:01 +00:00
Makefile.mips
Makefile.powerpc64 NVME support is only for x86 and powerpc64. 2018-06-14 01:15:19 +00:00
Makefile.sparc64